Data Governance News: Updates for Small Businesses

Data governance is moving fast. Microsoft is tightening SharePoint storage policies, AI tools like Copilot are exposing data oversharing risks, and regulators worldwide are introducing new frameworks for AI governance and data management.

This page tracks the developments that matter for businesses managing their data. Updated regularly with Microsoft 365 policy changes, AI governance requirements, storage management updates, and regulatory shifts that affect how your organisation handles its information.

Bookmark this page. When Microsoft changes a policy or a new AI regulation takes effect, check here first.

---

February 2026

Microsoft retires standalone SharePoint and OneDrive plans

Microsoft announced it will retire standalone SharePoint Online Plan 1 and Plan 2, and OneDrive for Business Plan 1 and Plan 2 licenses. Sales cease on 31 May 2026, with no contract renewals after January 2027. Service continues until December 2029.

This pushes all customers toward Microsoft 365 suite licenses — which include more storage but at higher per-user costs. For small businesses currently on standalone SharePoint plans, this is a forced migration that requires planning.

What to do: Review your current SharePoint and OneDrive licensing. If you are on standalone plans, start evaluating Microsoft 365 Business Basic ($6/user/month) or Business Standard ($12.50/user/month) as replacements. Factor in total cost of ownership including the additional services bundled in suite licenses.

NIST launches AI Agent Standards Initiative

In February 2026, NIST officially released the AI Agent Standards Initiative, marking the beginning of standardisation work for AI agents — systems that can take autonomous actions on behalf of users. This builds on the NIST AI Risk Management Framework (AI RMF 1.0) and the Generative AI Profile (AI 600-1) released in 2024.

For businesses deploying AI tools like Microsoft Copilot or third-party AI agents, these emerging standards will shape future compliance expectations. Data governance foundations — knowing where your data is, who can access it, and how it is classified — are prerequisites for any AI agent deployment.

What to do: Review the NIST AI RMF 1.0 and consider how your data governance practices align with its risk management principles. Organisations with strong data governance will be better positioned when formal AI agent standards arrive.

---

December 2025

Trump signs AI executive order targeting state AI laws

On 11 December 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." The order directs the Department of Justice to establish an AI Litigation Task Force to challenge state AI laws deemed inconsistent with federal policy, and threatens federal funding restrictions for states with "onerous" AI regulations.

This creates uncertainty for businesses navigating the growing patchwork of state-level AI laws. While the order aims to simplify compliance by establishing a uniform federal framework, the transition period may produce conflicting requirements as state and federal policies are reconciled.

What to do: Track which state AI laws may be affected by federal preemption. If your organisation operates across multiple US states, a unified approach to AI governance is increasingly important.

---

November 2025

Microsoft Ignite 2025: Copilot governance and security updates

At Ignite 2025, Microsoft announced expanded security and governance tools for Microsoft 365 Copilot. Key updates include Microsoft Purview Data Loss Prevention (DLP) for Copilot reaching general availability — blocking Copilot from processing files and emails with specific sensitivity labels — and expanded data risk assessments with item-level investigation and bulk remediation of overshared links.

These tools address the oversharing problem that Copilot has made impossible to ignore. Research shows 16% of business-critical data is overshared on average, totalling approximately 802,000 files per organisation at risk. When Copilot can surface any content a user has access to, broadly shared files become a liability.

What to do: If you use Microsoft 365 Copilot, enable Purview DLP policies to restrict Copilot's access to sensitive content. Run a data risk assessment from the Microsoft 365 admin centre to identify overshared files and sites.

Microsoft 365 Archive eliminates reactivation fees

Microsoft eliminated reactivation fees for Microsoft 365 Archive content effective 31 March 2025, making it cheaper to move inactive SharePoint content to cold storage and bring it back when needed. Archive storage costs up to 75% less than standard SharePoint storage ($0.05/GB/month versus the $0.20/GB/month overage rate).

For organisations hitting SharePoint storage limits, Archive provides a way to reduce costs without deleting data. File-level archiving — allowing individual documents to be archived without taking entire sites offline — is expected in preview by March 2026 and GA by July 2026.

What to do: Identify inactive SharePoint sites consuming storage. Move them to Microsoft 365 Archive to free up pooled storage and avoid the $0.20/GB/month overage charges. Each Microsoft 365 tenant gets 1 TB plus 10 GB per licensed user of pooled SharePoint storage — anything above that costs real money.

---

August 2025

EU AI Act: General-purpose AI obligations take effect

The EU AI Act's obligations for general-purpose AI (GPAI) models took effect on 2 August 2025. Providers of GPAI models must now comply with transparency requirements including maintaining technical documentation, publishing content usage policies, and implementing copyright compliance measures.

The next major milestone is 2 August 2026, when obligations for high-risk AI systems in Annex III and transparency rules under Article 50 come into force. Penalties for non-compliance are significant: up to €35 million or 7% of worldwide turnover for prohibited practices.

What to do: If your organisation develops or deploys AI systems that serve EU users, review the EU AI Act risk classification. Most businesses using off-the-shelf AI tools like Copilot are deployers rather than providers, but deployers of high-risk AI systems will have their own obligations from August 2026.

---

Late 2024 — Early 2025

Trump rescinds Biden AI executive order

On 20 January 2025, President Trump rescinded Executive Order 14110 — Biden's "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" order from October 2023. Three days later, he signed Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence," signalling a shift from oversight and risk mitigation toward deregulation and innovation promotion.

For businesses, this means less federal guidance on AI risk management but potentially fewer compliance obligations at the federal level. State-level AI laws continue to develop independently, and the EU AI Act applies regardless of US federal policy.

SharePoint Advanced Management bundled with Copilot licenses

From January 2025, Microsoft began bundling SharePoint Advanced Management (SAM) features with Microsoft 365 Copilot licenses. SAM provides data access governance reports, site access reviews, and oversharing detection — tools that help organisations identify and remediate the data governance gaps that Copilot makes visible.

Previously a separate add-on, SAM's inclusion with Copilot licenses reflects Microsoft's acknowledgement that AI readiness requires better data governance. Site access reviews allow administrators to delegate the review of overshared sites to site owners directly.

What to do: If you have Copilot licenses, enable SharePoint Advanced Management and run data access governance reports. These reports identify sites with broadly shared content — the same content Copilot can surface to any user with access.

EU AI Act: Prohibited AI practices take effect

The first binding obligations under the EU AI Act took effect on 2 February 2025, prohibiting AI systems that pose unacceptable risks. These include AI systems that use subliminal manipulation techniques, exploit vulnerabilities of specific groups, enable social scoring by public authorities, and deploy real-time biometric identification in public spaces (with limited exceptions).

While most small businesses are unlikely to deploy prohibited AI systems, the broader message is clear: AI governance is becoming a regulatory requirement, not a best practice.

---